the role of identity enabled web services in cloud … role of identity enabled web services in...
TRANSCRIPT
The Role of Identity Enabled Web Services
in Cloud Computing
April 20, 2009
Patrick Harding
CTO
Agenda
● Web Services and the Cloud
● Identity Enabled Web Services
● Some Use Cases and Case Studies
● Questions
Copyright (c) 2009 Ping Identity Corporation 2
Web Services and The Cloud
Copyright (c) 2009 Ping Identity Corporation 3
• As Distributed Computing Evolves, Users are Pushed Further and Further Away from Applications
• How Do You Securely Control Access in an Increasingly Distributed World While Supporting Emerging Technologies like Web Services?
Applications Rely on Identity to Meet Fundamental Business Requirements
Copyright (c) 2009 Ping Identity Corporation
SaaS BPO
Cloud Apps Partner
Apps
4
Web Services Security Soup
Copyright (c) 2009 Ping Identity Corporation 5
Customers
Business Partners
Customer Service Reps
3rd Party Mashups
Web Service
SaaS
WS-Security
SAML
SSL
PKI
WS-Trust
REST
SOAP
XMLSignature
oAuth
Kerberos
X.509
Mobile
Web Portal
WS-SecurityPolicy
WS-SecureConversation
Gadgets/
Widgets
Username/Password
SaaS
Web Services and the Cloud
● Cloud Computing & SaaS are changing the requirements for addressing how to secure web services
● Cloud applications & SaaS will need to securely access on-premise data
Google Enterprise Developer Platform
SaaS Integration
● On premise applications will need to access SaaS API’s
Salesforce.com API’s are heavily used - 2 Billion API calls a month
Copyright (c) 2009 Ping Identity Corporation 6
Security & Integration
7 Copyright (c) 2009 Ping Identity Corporation
Identity Enabled Web Services
Copyright (c) 2009 Ping Identity Corporation 8
• Web Services Principles
• Standards-based, Loosely Coupled, Scalable Applications
• Most Current Security Approaches Violate Web Service Principles
• Customized, Tightly Coupled, Not Scalable, No Delegation
• e.g. Mutually Authenticated TLS, User Identity in SOAP Body
• Each Web Services app must know in advance where identity information is located in SOAP body; TLS session is point-to-point
Securing Web Services Today
Copyright (c) 2009 Ping Identity Corporation 9
• Encrypted, Signed, Standard WS-Security SOAP Message
• WS-Security SOAP Header Includes Standard WS-Trust Security Token with Identity Information
WS-Security Enables a New Standards-based Trust Model
Copyright (c) 2009 Ping Identity Corporation
Key Question: How To Create Security Tokens?
WS-Trust Security Token in WS-Security Header
10
11
WS-Trust Basics
● WS-Trust is an OASIS standard and an extension of WS-Security
● WS-Trust enables security token exchange
● A WS-Trust STS Issues and Validates Security Tokens
Kerberos, UserName/Password, X.509, SAML, ….
Copyright (c) 2009 Ping Identity Corporation
12
Identity Enabled Web Services
● WS-Security SAML Token Profile
● Enables Delegation
● STS Implements Federated Identity Concepts
Attribute Contracts
Session Integration
Attribute Retrieval
Subject, Attribute and Role Mapping
STS STS
Copyright (c) 2009 Ping Identity Corporation
13
Centralized Security Token Processing
Every Web Service Client and Provider Processes Security Tokens
● Gets Identity-Related Security and Crypto Code Out of Applications
● Centralized Administration, Auditing
● Requestor and Recipient Based Policy and Behavior
● Enables Web Services SSO with both Web Clients and Rich Clients
● Supports Client-Side, Provider-Side or Both
STS Handles All Security Token Processing
Without STS With STS
STS
Copyright (c) 2009 Ping Identity Corporation
What about oAuth?
• Open standard to secure REST based web service API’s between SaaS/Web 2.0 applications
• Driven by SaaS/Web 2.0 community
● oAuth handles delegated web service authentication
Secure API authentication
Secure access to web service data API’s
Generally with explicit user consent
Copyright (c) 2009 Ping Identity Corporation 14
‘Two Legged’ oAuth
oAuth
Service Provider
(Enterprise)
oAuth Consumer
(Google EDP)
1. Consumer Key and Secret
3. Call API with oAuth Signature API
STS
Browser
2. Request
Resource
15 Copyright (c) 2009 Ping Identity Corporation
‘Three Legged’ oAuth
Copyright (c) 2009 Ping Identity Corporation 16
Oauth
Service Provider OAuth Consumer
Browser
1. Consumer Key and Secret
6. User Redirect back with Authorized Request Token
5. User
Authenticates &
Handles User Consent
4. User Redirect with
Unauthorized Request Token
8. Call API with oAuth Signature & Access Token
2. Request
Resource
3. Get Unauthorized Request Token
7. Exchange Authorized Token for AccessToken API
10. Display
Resource
Use Cases & Case Studies
Copyright (c) 2009 Ping Identity Corporation 17
Web Services Use Cases
• Portal Initiated Web Services • Browser based app requires user specific data from internal or
external web services
• Security for Web Service Providers and SaaS API’s • Web service providers require authenticated user to authorize
access to user specific data
• Rich Desktop Clients • Desktop client applications SSO to web service providers inside
or outside of security domain
18 Copyright (c) 2009 Ping Identity Corporation
Federal Government
Web Service
Provider A
Browser Web Portal
SOAP API
Active Directory
Web Service
Provider B SOAP
API
STS
Enclave 1
Enclave 2
Enclave 3
Active Directory STS
Active Directory STS
1.
2.
3.
4.
5.
6.
19
Large Electronics Retailer
Retailer
Browser
3rd Party
Shopping Applications
Partner
STS
SOAP API
Customer DB
oAuth WS-*
REST API
1.
2.
3.
20
Recommendations
● Leverage SSL for Confidentiality
● Use SAML Tokens to Identity Enable SOAP Web Services
● Leverage a WS-Trust STS to Centralize SAML Token & Federation Processing
● Consider oAuth to secure your REST API’s
● … and check out the new PingFederate 6.0 up the back
21 Copyright (c) 2009 Ping Identity Corporation
Questions
Copyright (c) 2009 Ping Identity Corporation 22